On 6/7/20 1:47 PM, Tom Eastep wrote:
> Yes. As a general rule, address variables can be used anywhere that a
> host IP address can be used, unless documented otherwise.

great, thx. that takes care of the 'local' shorewall instance's tracking etc of a dynamic IP address.

that 'local' IP address, when static, is explicitly allowed for admin SSH access at a number of remote shorewall instances -- both in normal firewall operation, and to ensure post stopped-rule 'emergency' access. it's worked well enough.

once the 'local' IP address is dynamic, and potentially changed, I'd like to accommodate change of the address in the remotes' rules.

my first leaning was to set up a similar custom var in the remote's /init, populating it with a

	DYN_LOCAL_IPv4_ADDRESS=$( dig A dyn-local-addr.example.com @1.1.1.1 +short 2>/dev/null )

where the A record is itself dynamically updated (using `nsupdate` at my nameserver) on IP change.

but, I haven't forgotten your repeated admonitions to NOT use DNS hostnames in firewall ...

any best-practice suggestions for getting that dynamically-changed-local-IP into the remote FWs?

if it matters, ALL my FWs are locally managed/compiled with SW, and pushed to the remotes ...
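
A guard for the lookup quoted in the message above, as an added example (not part of the original post and not Shorewall code): `dig +short` can print nothing on failure, or a CNAME target ahead of the address, so the result is accepted only when it is exactly one IPv4 address, and otherwise the last known good value is kept. The function names and the last-known-good fallback are assumptions.

```shell
#!/bin/sh
# Added example: validate a DNS-derived address before it reaches a rule.
# is_ipv4 and pick_admin_addr are hypothetical helper names.

# Succeeds only for a single dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        # empty, any char other than digit/dot (incl. newline), stray dots
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the address to use: the fresh lookup result if it is one valid
# IPv4 address, else the last known good value. Fails if neither is valid,
# so the caller never ends up with an empty or non-address variable.
pick_admin_addr() {
    candidate=$1
    last_good=$2
    if is_ipv4 "$candidate"; then
        printf '%s\n' "$candidate"
    elif is_ipv4 "$last_good"; then
        printf '%s\n' "$last_good"
    else
        return 1
    fi
}

# Constructed sample inputs (documentation addresses, not real lookups).
pick_admin_addr "203.0.113.7" "198.51.100.4"   # prints 203.0.113.7
pick_admin_addr "" "198.51.100.4"              # prints 198.51.100.4

# Wiring with the lookup from the message (cache path is a placeholder):
#   fresh=$( dig A dyn-local-addr.example.com @1.1.1.1 +short 2>/dev/null )
#   last=$( cat /path/to/last-good 2>/dev/null )
#   DYN_LOCAL_IPv4_ADDRESS=$( pick_admin_addr "$fresh" "$last" )
```
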